09/20/07 15:28 FAX 301 903 4656 CAPITAL REGION

DOE F 1325.8
(8-89)
EFG (07-90)

United States Government                                        Department of Energy

Memorandum
                                                    Audit Report No.: OAS-L-07-23
DATE:      September 18, 2007
REPLY TO:  IG-34 (A07TG036)

SUBJECT:   Evaluation of "The Federal Energy Regulatory Commission's Cyber Security Program - 2007"
TO:        Chairman, Federal Energy Regulatory Commission

The purpose of this report is to inform you of the results of our evaluation of the Federal Energy Regulatory Commission's (Commission) cyber security program. The evaluation was initiated in May 2007, and our fieldwork was conducted through September 2007. Our methodology is described in the attachment to this report.

INTRODUCTION AND OBJECTIVE

The Commission reports that it is constantly improving the stability, reliability, and security of its information technology (IT) infrastructure and data repositories to help achieve its mission to regulate and oversee energy industries in the economic, environmental, and safety interests of the American public. To accomplish this, the Commission estimated that, in Fiscal Year 2007, it spent almost $1 million to protect its $26.1 million IT investment from cyber-related threats.

As required by the Federal Information Security Management Act (FISMA) and the Office of Management and Budget (OMB) implementing guidance, the Office of Inspector General performed an annual independent evaluation of the Commission's cyber security program. This evaluation is designed to assess the adequacy and effectiveness of information security policies, procedures, and practices, and compliance with FISMA requirements.

CONCLUSIONS AND OBSERVATIONS

Overall, we continued to note improvements in the Commission's cyber security program. In the past year the Commission had taken several actions to strengthen its cyber security program. In particular, it:

    *   Strengthened password management and corrected prior year problems concerning the use of default, blank, or easily guessed passwords;

    *   Corrected previously reported issues and updated procedures relating to identifying and promptly disabling unused network accounts;

    *   Implemented a more robust cyber security self-assessment process and corrected prior year problems in this area; and,

    *   In response to OMB requirements, developed policies and procedures for protecting personally identifiable information.

During our current evaluation, we noted an issue related to the completion of risk management activities and security planning for a major financial processing system, the Management Administrative and Payroll System (MAPS). The Commission considers this application critical to its operations and uses it to provide human resources services such as payroll, benefits, time and labor functions, as well as financial functions, including general ledger, accounts receivables, and purchasing. Although MAPS underwent a significant software upgrade in 2005, officials did not initiate action until early 2007 to begin a required reaccreditation of the system. Because of the nature of the software upgrade, significant changes occurred both in the manner in which data was processed and how it was transmitted - a situation that could have potentially introduced security vulnerabilities or increased the risk associated with system operation.

In response to our query regarding MAPS, Commission officials indicated that they had started a comprehensive certification process in January 2007, and have completed a number of important parts of the effort. An asset categorization statement had been developed, a privacy impact assessment completed, and a self assessment - including a contingency plan and configuration plan review - and a security review have been performed. Two remaining items, the risk assessment and system security plan, are expected to be completed by September 30, 2007.

SUGGESTED ACTION

We suggest that the Executive Director ensure that the ongoing risk assessment and re-certification of the MAPS system fully consider the risk posed by the software upgrade and modify system controls, if necessary.

Since no formal recommendations are being made in this letter report, a formal response is not required. We appreciate the cooperation of your staff throughout the audit.

                                        Rickey R. Hass
                                        Assistant Inspector General
                                          for Financial, Technology, and Corporate Audits
                                        Office of Audit Services
                                        Office of Inspector General

Attachment

cc:  Executive Director, FERC
     Chief of Staff, DOE

                                                                        Attachment

SCOPE AND METHODOLOGY

The evaluation was performed between May and September 2007 at the Federal Energy Regulatory Commission (Commission) Headquarters in Washington, DC. Specifically, we performed an evaluation of the Commission's Fiscal Year 2007 unclassified cyber security program. The evaluation included a review of general and application controls in areas such as entity-wide security planning, access controls, application software development, change controls, segregation of duties and service continuity. Our work did not include a determination of whether vulnerabilities found were actually exploited and used to circumvent existing controls.

To evaluate the adequacy and effectiveness of the Commission's information security policies and practices, we:

    *   Reviewed the Commission's overall cyber security program to evaluate the adequacy and effectiveness of information security policies, procedures, and practices, and compliance with the requirements of the Federal Information Security Management Act (FISMA);

    *   Reviewed Federal statutes and guidance applicable to ensuring the effectiveness of information security controls over information resources supporting Federal operations and assets such as FISMA guidance and Circular A-130 Appendix III, and National Institute of Standards and Technology standards and guidance;

    *   Assessed controls over network operations to determine the effectiveness related to safeguarding information resources from unauthorized internal and external sources;

    *   Evaluated the Commission in conjunction with its annual audit of the Financial Statements, utilizing work performed by KPMG, LLP (KPMG), the Office of Inspector General's (OIG) contract auditor. KPMG's efforts included analysis and testing of general and application controls for systems as well as vulnerability scanning of networks; and,

    *   Analyzed OIG reports issued between 2004 and 2006 and reviewed other audits and evaluations performed by Government Accountability Office and the Office of Management and Budget.

We evaluated the Commission's implementation of the Government Performance and Results Act of 1993 and did not identify any performance measures specific to unclassified cyber security. We did not rely solely on computer-processed data to satisfy our objectives. However, computer assisted audit tools were used to perform probes of various networks and devices. We validated the results of the scans by confirming the weaknesses disclosed with Commission officials and performed other procedures to satisfy ourselves as to the reliability and competence of the data produced by the tests.

The evaluation was conducted in accordance with generally accepted Government auditing standards for performance audits and included tests of internal controls and compliance with laws and regulations to the extent necessary to satisfy our objective. Accordingly, we assessed internal controls regarding the development and implementation of automated systems. Because our review was limited, it would not necessarily have disclosed all internal control deficiencies that may have existed at the time of our evaluation.

Commission officials waived the exit conference.